Dear Developers, Please Support Two Factor Authentication

Security is a topic all people in technology know is vitally important, but not all of us utilize best practices. Not practicing what you preach seems to be a trend in most industries. There are healthcare professionals who know how to take the best care of themselves and don’t, parents who only buy organic food for their kids and binge fast food, and tech gurus who have the same password for every single account in their name.

A personal story

I am guilty of the latter, and it led to a really upsetting weekend when some lovely human hacked my mobile account and ordered themselves an iPhone X on my dime. If I had simply practiced what I believe at work (and share with my clients), it would have easily been a hacking fail. Instead, the super creative name of my beloved childhood pet and my favorite numbers (insert sarcastic eye roll) led to a weekend full of phone calls, paperwork, and getting signed up for over four thousand newsletters from all over the world. I also finally gave in to multi-factor authentication and unique passwords autogenerated by my new favorite product, LastPass. It is shameful to admit this happened to me, but it happens. To quote my mentor, “You win or you learn.” I learned.

Why did I overlook multi-factor authentication? Easy. I don’t do anything exciting, I don’t have massive bank accounts to drain, and I thought it wouldn’t happen to me. I do utilize the highest security practices at work, but when it comes to me, nope. I always used the excuse that it was bothersome and took too long. But all thanks to the really swell person who wanted a free iPhone X, that has changed, and to be honest, it is much faster than having to figure out how to unsubscribe from all those newsletters.

Duplicate passwords

As soon as it hit me that I used the same dumb password for every account I had, I kicked into overdrive and started looking into security. I felt so violated that someone within a matter of minutes had gotten all of my personal information, and I knew it wouldn’t take very long for that to spread to other accounts, if they were so inclined. My first conversation was with a nice technical support person at my mobile phone provider. I asked her about setting up multi-factor authentication on my account, and she had no idea what I was talking about. She suggested that I change my password. How she was not well-versed in this question, and in how to help me, was beyond me. This is a big deal. I started looking into it and found how to activate two-factor authentication (2FA) on my account immediately.

Security planning

As a developer, I now look at security within applications a bit differently. I will no longer use applications or work with companies that do not implement 2FA and strong security measures, or that do not treat my personal information with care. I have done a lot of research recently on how to best implement it within the development process. This requires a massive amount of planning. You have to answer a million questions about how to implement this in your own application.

I brainstormed a list of things that would need to be decided before coding could begin, and it is a long list! Here is what I came up with in just a few minutes of brainstorming:

How do you want to store user passwords?

What libraries will this require that you bring into your project, and how much time will it take to wire them up to play nice with your code?

Will 2FA be optional for your users?

How will your app keep track of who uses 2FA and who does not?

How do you want users to generate the 2FA options?

How will you deliver your 2FA codes?

    Text messages, phone app, etc.

    Validation options for your choices

What happens when a user gets a new device or loses one?

How do you account for getting around 2FA? This can be a bit of a beast to figure out. Here at Stackify, it usually involves a support ticket and the participation of the user admin.

How long does your 2FA last?

    Timing requirements

    Device requirements

How do you plan to handle suspicious logins or lockouts?

And the list goes on and on…

Summary

I could continue to list more questions that need to be answered, but I think it is very obvious that when a company puts this much work into security decisions, they really have their users’ best interests at heart. You can, of course, outsource this work to make sure it is handled properly. There are plenty of companies and developers who specialize in security and would be happy to help, guide, or write what it is that you need. Whether or not you build it yourself is irrelevant to the user; they just want to make sure their information is safe with you, and it needs to be done correctly.

Businesses, developers, and users should take multi-factor authentication very seriously (Stackify does!). You don’t have to be cool or exciting to get your information stolen and used against you. I now lock down my personal information like I have crazy high-level secrets in every single account… except for my kid’s lunch accounts. I invite hackers to feel free to break in and fill them up!

Megan Horton: Before joining Stackify as their Manager of Customer Success, Megan taught full stack development for three years. With a background in the .NET framework, she's a giant fangirl of C# but would be happy to nerd out with you about JavaScript, too.